fix(dns): wrap hostname-mismatch error as DNSZoneValidationError

wenyingd · cursoragent · wenyingd · commit fc50f25762d1 · 2026-05-14T18:11:07.000+08:00
ValidateEndpointsByZone returned a plain fmt.Errorf when a hostname
did not match any allowed DNS zone. The controller only updates the
DNSRecordReady condition on *DNSZoneValidationError, so the condition
was left stale (True) while the reconciler looped with exponential
backoff.

Also fix both early-exit paths in the endpoint loop to return the
already-computed allowedZones instead of nil, so the controller can
correctly scope the stale-record cleanup to out-of-zone records.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/pkg/nsx/services/dns/recordservice_test.go b/pkg/nsx/services/dns/recordservice_test.go
@@ -227,15 +227,17 @@ func TestValidateEndpointsByZone_table(t *testing.T) {
 	ncWithoutDNSZones.Spec.DNSZones = nil
 
 	tests := []struct {
-		name       string
-		nc         *v1alpha1.VPCNetworkConfiguration
-		vpcErr     error
-		buildOwner func(ns string) *ResourceRef // nil → tableOwner(ns)
-		ns         string
-		eps        []*extdns.Endpoint
-		wantZone   string
-		errSub     string
-		wantN      *int // when non-nil, assert len(rows)==*wantN instead of len(eps)
+		name            string
+		nc              *v1alpha1.VPCNetworkConfiguration
+		vpcErr          error
+		buildOwner      func(ns string) *ResourceRef // nil → tableOwner(ns)
+		ns              string
+		eps             []*extdns.Endpoint
+		wantZone        string
+		errSub          string
+		wantZoneValErr  bool              // error must be *DNSZoneValidationError
+		wantAllowedOnErr map[string]string // non-nil: allowedZones must equal this on error
+		wantN           *int // when non-nil, assert len(rows)==*wantN instead of len(eps)
 	}{
 		{
 			name: "happy_path",
@@ -244,9 +246,10 @@ func TestValidateEndpointsByZone_table(t *testing.T) {
 			wantN: intPtr(1),
 		},
 		{
-			name: "no_DNS_zones_in_VPC_spec",
-			nc:   ncWithoutDNSZones,
-			ns:   "n", eps: []*extdns.Endpoint{ep}, errSub: "no DNS zones are permitted for the namespace",
+			name:           "no_DNS_zones_in_VPC_spec",
+			nc:             ncWithoutDNSZones,
+			ns:             "n", eps: []*extdns.Endpoint{ep}, errSub: "no DNS zones are permitted for the namespace",
+			wantZoneValErr: true,
 		},
 		{
 			name:   "GetVPCNetworkConfigByNamespace_error",
@@ -278,10 +281,23 @@ func TestValidateEndpointsByZone_table(t *testing.T) {
 			buildOwner: func(ns string) *ResourceRef {
 				return &ResourceRef{Kind: "UnknownKind", Object: &metav1.ObjectMeta{Namespace: ns, Name: "x"}}
 			},
-			ns:     "tenant",
-			eps:    []*extdns.Endpoint{ep},
-			errSub: "unsupported resource kind",
-			wantN:  intPtr(0),
+			ns:             "tenant",
+			eps:            []*extdns.Endpoint{ep},
+			errSub:         "unsupported resource kind",
+			wantZoneValErr: true,
+			wantAllowedOnErr: map[string]string{testDNSZonePathT: "example.com"},
+			wantN:          intPtr(0),
+		},
+		{
+			// hostname does not lie under any allowed zone → must be *DNSZoneValidationError
+			// and allowedZones must still be returned so the controller can clean up stale records.
+			name:             "hostname_not_in_zone_is_DNSZoneValidationError_with_allowedZones",
+			nc:               testVPCNetworkConfiguration(), // zone = example.com
+			ns:               "tenant",
+			eps:              []*extdns.Endpoint{extdns.NewEndpoint("svc.other.example", extdns.RecordTypeA, "10.0.0.1")},
+			errSub:           "does not match any allowed DNS domain",
+			wantZoneValErr:   true,
+			wantAllowedOnErr: map[string]string{testDNSZonePathT: "example.com"},
 		},
 	}
 	for _, tt := range tests {
@@ -295,6 +311,13 @@ func TestValidateEndpointsByZone_table(t *testing.T) {
 			if tt.errSub != "" {
 				require.Error(t, err)
 				require.Contains(t, err.Error(), tt.errSub)
+				if tt.wantZoneValErr {
+					var zve *DNSZoneValidationError
+					require.ErrorAs(t, err, &zve, "expected *DNSZoneValidationError")
+				}
+				if tt.wantAllowedOnErr != nil {
+					require.Equal(t, tt.wantAllowedOnErr, allowed, "allowedZones must be returned even on error")
+				}
 				return
 			}
 			require.NoError(t, err)
diff --git a/pkg/nsx/services/dns/zones.go b/pkg/nsx/services/dns/zones.go
@@ -101,12 +101,12 @@ func (s *DNSRecordService) ValidateEndpointsByZone(namespace string, owner *Reso
 		}
 		recName, zonePath, parseErr := s.getZonePathForHostname(z, ep.DNSName)
 		if parseErr != nil {
-			return nil, nil, parseErr
+			return nil, allowedZones, &DNSZoneValidationError{Msg: parseErr.Error()}
 		}
 		log.Debug("Mapped DNS endpoint to zone", "dnsName", ep.DNSName, "zonePath", zonePath, "recordName", recName)
 		row, validErr := s.validateEndpointRowConflict(zonePath, ep, recName, owner)
 		if validErr != nil {
-			return nil, nil, &DNSZoneValidationError{Msg: "DNS endpoint validation failed for DNS zone policy", Cause: validErr}
+			return nil, allowedZones, &DNSZoneValidationError{Msg: "DNS endpoint validation failed for DNS zone policy", Cause: validErr}
 		}
 		rows = append(rows, *row)
 	}

Original file line number	Diff line number	Diff line change
`@@ -101,12 +101,12 @@ func (s DNSRecordService) ValidateEndpointsByZone(namespace string, owner Reso`
`101`	`101`	`}`
`102`	`102`	`recName, zonePath, parseErr := s.getZonePathForHostname(z, ep.DNSName)`
`103`	`103`	`if parseErr != nil {`
`104`		`- return nil, nil, parseErr`
	`104`	`+ return nil, allowedZones, &DNSZoneValidationError{Msg: parseErr.Error()}`
`105`	`105`	`}`
`106`	`106`	`log.Debug("Mapped DNS endpoint to zone", "dnsName", ep.DNSName, "zonePath", zonePath, "recordName", recName)`
`107`	`107`	`row, validErr := s.validateEndpointRowConflict(zonePath, ep, recName, owner)`
`108`	`108`	`if validErr != nil {`
`109`		`- return nil, nil, &DNSZoneValidationError{Msg: "DNS endpoint validation failed for DNS zone policy", Cause: validErr}`
	`109`	`+ return nil, allowedZones, &DNSZoneValidationError{Msg: "DNS endpoint validation failed for DNS zone policy", Cause: validErr}`
`110`	`110`	`}`
`111`	`111`	`rows = append(rows, *row)`
`112`	`112`	`}`